Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
IBM i network sign-on makes it AV:N; any authenticated user profile suffices so PR:L; no user interaction needed; successful library-list hijack yields administrator-level code execution, giving C:H/I:H/A:H.
Primary rating from Vendor (ibm).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
IBM i 7.6, 7.5, 7.4, and 7.3 could allow a user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege.
AnalysisAI
Privilege escalation in IBM i versions 7.3, 7.4, 7.5, and 7.6 allows an authenticated user to execute attacker-controlled code with administrator privileges due to an unqualified library call (CWE-427, uncontrolled search path). No public exploit identified at time of analysis, but IBM has released a patch and rated the issue as high severity (CVSS 8.8) given the low complexity and high impact across confidentiality, integrity, and availability.
Technical ContextAI
IBM i (formerly OS/400 / i5/OS) is IBM's integrated operating environment for Power Systems, where programs are resolved through a per-job library list rather than fully qualified paths. CWE-427 (Uncontrolled Search Path Element) in this context means a system or trusted program invokes another program or service program by name without qualifying its source library, so whichever library appears earliest in the user's library list supplies the object. If a lower-privileged user can place a malicious object with the same name in a library that precedes the legitimate one, the trusted caller - running under an adopted authority or higher-privileged profile - will load and execute the attacker's code. The affected CPE is cpe:2.3:a:ibm:i:*:*:*:*:*:*:*:*, covering supported IBM i releases 7.3 through 7.6.
RemediationAI
Patch available per vendor advisory: apply the IBM-issued PTFs for each affected release (7.3, 7.4, 7.5, 7.6) as listed in IBM Support advisory https://www.ibm.com/support/pages/node/7275756; the input does not enumerate a single exact fix version, so administrators must select the PTF group matching their installed release. As compensating controls until PTFs are applied, restrict interactive and remote sign-on for non-administrative profiles (limit users with *USE authority to QSYS and avoid granting *CHANGE on shipped libraries), audit and trim user library lists (QUSRLIBL, QSYSLIBL) so attacker-writable libraries cannot precede IBM-supplied ones, and review object authorities on any library where ordinary users have *ADD or *CHANGE - note that tightening library list policy can break poorly-written application installers that depend on writing into shared libraries, so test in a staging LPAR first.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36250
GHSA-45c2-g3rg-fwmg